A recent EU decision has turned the tide in the international tension between retention of data for the purposes of monitoring, surveillance, prevention of crime and terrorism and an individual’s right to privacy and in one fell swoop rendered the 2006 Data Retention Directive invalid from the date it had effect.

The original introduction of this legislation came in the wake of the Madrid bombing in 2004 and the 7/7 attacks on the London transport network in 2005. At the time some described it as draconian and disproportionate and they will now be feeling vindicated by this major European decision.

Under the EU Directive 2006/24 (Data Retention Directive) Internet service providers and Telecommunications companies are required to retain data for between 6 months to 2 years from landlines, computers, fax machines and mobile phones. Member states fixed the period of retention and determined when access to the material could be authorised. Article 1 of the Directive states that its purpose is; “ to ensure that the data are available for the purpose of the investigation, detection and prosecution of serious crime, as defined by each member state in its national law.”

Member states were obliged to ensure the preservation of data to trace and identify the source of a communication; to identify the destination of a communication; to identify the date, time and duration of a communication; to identify the type of communication; to identify users’ communication equipment or what purports to be their equipment; and to identify the location of mobile communication equipment.

The Courts decision means that member states are no longer obliged to require telecommunications companies to retain large quantities of their customers’ data.

The Court considered the directive in light of the right to respect for private and family life and protection of personal data and decided that the interference set out in the Directive was not justified leaving persons with a feeling that their private lives are the subject of constant surveillance.

In particular the Court was concerned about four particular issues:

The Directive was excessive in establishing monitoring of the entire population rather than those who might be linked to serious crime.

The lack of effective control over access and use of the data – in particular by not insisting that a court should approve requests for data.

The Directive required that data should be stored on all citizens for an extended period without any clear justification as to why that period was chosen.

The lack of adequate security for the stored data, making it open to attack by hackers and (by implication) foreign intelligence services.

The decision can be seen as a clear water shed in respect of the protection of fundamental privacy rights but inevitably Governments and law enforcement agencies will continue to press for access to personal data. It seem likely there will be further provision introduced which will allow for some surveillance following the principals set out by the court. The recent public concern about mass surveillance will no doubt have influenced public views on data retention and therefore the battle ground is set with the Court making it clear that public safety will not trump an individual’s right to privacy. The writers view is that such checks and balances are to be welcomed and that it is likely that this decision will be central to European privacy rights jurisprudence.